Amendments to the Claims 

This listing of claims will replace all prior versions, and listings, of claims in the 
application. 

1. (Currently Amended) A method for providing access management 
through use of a plurality of server machines associated with different locations, said 
method comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine at a first location; 

authenticating a user of the first client machine at the first location; 

authenticating the first client machine; 

retrieving at the first server machine, based on the success of said authenticating 
of the user and authenticating of the first client machine, a user key permitting access to 
an individually encrypted sub-header of the secured item [[if said authenticating of the 
user and authenticating of the first client machine are successful]], the encrypted sub-
header including access rules for the secured item, the sub-header selected, from a group 
of individually encrypted sub-headers corresponding to other users or groups, based on 
the sub-header's [[corresponding]] correspondence to the user or to a group to which the 
user belongs [[based on an identifier located within the sub-header]]; 

permitting access to the secure item via the first location [[if]] based on success of 
said authenticating of the user and authenticating of the first client machine [[are 
successful]], and further [[if allowed]] based on allowability by the access rules; 

permitting access to the secure item via the first server machine [[if]] based on said 
permitting access to the secure system via the first location [[permits]] permitting the user 
to gain access to the secure item from the first location; and 

preventing access to the secure item via the first server machine [[if]] based on said 
permitting access to the secure system via the first location [[does not permit]] not 
permitting the user to gain access to the secure item from the first location. 

2. (Previously Presented) The method as recited in claim 1, wherein said 
permitting access to the secure system via the first location comprises: 

obtaining access privileges associated with the user to determine at least one or 
more permitted locations for the user; and 

determining whether the user is permitted to gain access to the secure item from 
the first location based on the permitted locations associated with the user. 

3. (Currently Amended) The method as recited in claim 1, wherein [[if 
permitted]] permission by said permitting access to the secure system via the first 
location[[,]] further comprises allowing access to the secure item from the first location 
via the first client machine and the first server machine. 

4. (Currently Amended) The method as recited in claim 1, wherein [[if 
permitted]] permission by said permitting access to the secure item via the first server 
machine[[,]] further comprises allowing access to the secure item from the first location 
via the first client machine and the first server machine. 

5. (Currently Amended) The method as recited in claim 1, further 
comprising: 

preventing access to the secure item via any of the server machines other than the 
first server machine [[if]] based on said permitting access to the secure item via the first 
server machine [[permits]] permitting the user to gain access to the secure item from the first 
location. 

6. (Currently Amended) The method as recited in claim 1, 

wherein said permitting access to the secure system via the first location 
comprises determining whether the user is permitted to gain access to the secure item via 
the first client machine and the first server machine, and 

wherein said permitting access to the secure item via the first server machine 
operates to permit the user to gain access to the secure item via the first client machine 
and the first server machine [[if]] based on said permitting access to the secure system via 
the first location [[determines]] determining that the user is permitted to gain access to the 
secure item via both the first client machine and the first server machine. 

7. (Currently Amended) The method as recited in claim 1, 

wherein said permitting access to the secure system via the first location 
comprises determining whether the user is permitted to gain access to the secure item via 
the first server machine, and 

wherein said permitting access to the secure item via the first server machine 
operates to permit the user to gain access to the secure item via the first server machine 
[[if]] based on said permitting access to the secure system via the first location 
[[determines]] determining that the user is permitted to gain access to the secure item via 
the first server machine. 

8. (Currently Amended) The method as recited in claim 1, 

wherein said permitting access to the secure system via the first location 
comprises determining whether the user is permitted to gain access to the secure item via 
the first client machine, and 

wherein said permitting access to the secure item via the first server machine 
operates to permit the user to gain access to the secure item via the first client machine 
[[if]] based on said permitting access to the secure system via the first location 
[[determines]] determining that the user is permitted to gain access to the secure item via 
the first client machine. 

9. (Currently Amended) The method as recited in claim 1, further 
comprising: 

preventing the user from gaining access to the secure item via any of the server 
machines other than the first server machine [[if]] based on said permitting access to the 
secure system via the first location [[determines]] determining that the user is permitted to 
gain access to the secure item from the first location. 

10. (Currently Amended) The method as recited in claim 9, wherein said 
preventing the user from gaining access to the secure item via any of the server machines 
other than the first server machine comprises reconfiguring at least any one of the server 
machines that previously permitted the user to gain access to the secure item 
therethrough. 
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11. (Previously Presented) The method as recited in claim 10, wherein said 
permitting access to the secure item via the first server machine comprises reconfiguring 
the first server machine to permit access by the user to the secure item via the first server 
machine. 

12. (Previously Presented) The method as recited in claim 11, wherein said 
permitting access to the secure system via the first location comprises: 

obtaining access privileges associated with the user to determine at least one or 
more permitted locations for the user; and 

determining whether the user is permitted to gain access to the secure item from 
the first location based on the permitted locations associated with the user. 

13. (Previously Presented) The method as recited in claim 1, wherein said 
permitting access to the secure item via the first server machine comprises reconfiguring 
the first server machine to permit access by the user to the secure item via the first server 
machine. 
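The decision flow that claims 1 through 13 recite (authenticate the user, authenticate the client machine, check the user's permitted locations and the item's access rules, then permit access through the receiving server while reconfiguring the other server machines to deny it) can be shown in a few dozen lines. The following is an added example written for this page, not the applicant's code; every server, user, client identifier, credential and rule in it is constructed for the demonstration, and the item's access rules are held in a plain dictionary rather than in an encrypted sub-header.

```python
"""Multi-server access flow of claims 1-13, as an added example (not the
applicant's code). Every server machine, user, client and rule below is
constructed for the demonstration."""
import hmac
from dataclasses import dataclass, field


@dataclass
class ServerMachine:
    name: str
    location: str
    # item -> users currently permitted to reach that item through this server
    granted: dict = field(default_factory=dict)


@dataclass
class AccessRequest:
    server: str      # the "first server machine" that received the request
    client_id: str   # the "first client machine"
    user: str
    credential: str
    item: str


class AccessManager:
    def __init__(self, servers, user_credentials, enrolled_clients,
                 permitted_locations, access_rules):
        self.servers = {s.name: s for s in servers}
        self.user_credentials = user_credentials        # user -> expected secret (constructed)
        self.enrolled_clients = enrolled_clients        # client ids that authenticate
        self.permitted_locations = permitted_locations  # user -> locations (claim 2 privileges)
        self.access_rules = access_rules                # item -> {user: locations} (sub-header rules)

    def authenticate_user(self, user, credential):
        expected = self.user_credentials.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), credential.encode())

    def authenticate_client(self, client_id):
        return client_id in self.enrolled_clients

    def handle(self, req):
        """True when access is permitted via req.server, False otherwise.
        A refused request also revokes any earlier grant for the user on every server."""
        first = self.servers[req.server]
        permitted = (
            self.authenticate_user(req.user, req.credential)
            and self.authenticate_client(req.client_id)
            # claim 2: the first location must be among the user's permitted locations
            and first.location in self.permitted_locations.get(req.user, ())
            # claim 1: the item's access rules must allow this user at this location
            and first.location in self.access_rules.get(req.item, {}).get(req.user, ())
        )
        # Claims 9-11, 13: reconfigure every server so that only the first server,
        # and only when the request was permitted, lets this user reach the item.
        for server in self.servers.values():
            users = server.granted.setdefault(req.item, set())
            if permitted and server is first:
                users.add(req.user)
            else:
                users.discard(req.user)
        return permitted

    def can_access(self, server_name, item, user):
        return user in self.servers[server_name].granted.get(item, set())


def build_demo_manager():
    """Constructed deployment: two servers at two locations, two users."""
    return AccessManager(
        servers=[ServerMachine("srv-hq", "hq"), ServerMachine("srv-branch", "branch")],
        user_credentials={"alice": "correct-horse", "bob": "battery-staple"},
        enrolled_clients={"laptop-01", "laptop-02"},
        permitted_locations={"alice": {"hq", "branch"}, "bob": {"hq"}},
        access_rules={"report.doc": {"alice": {"hq", "branch"}, "bob": {"hq", "branch"}}},
    )


if __name__ == "__main__":
    manager = build_demo_manager()
    print(manager.handle(AccessRequest("srv-hq", "laptop-01", "alice", "correct-horse", "report.doc")))
    print(manager.handle(AccessRequest("srv-branch", "laptop-02", "alice", "correct-horse", "report.doc")))
    print(manager.can_access("srv-hq", "report.doc", "alice"))
```

Both checks in `handle` are needed: the user's own access privileges (claim 2) and the item's rules (claim 1) are independent lists of locations, so a user the item would admit at a location the user is not privileged for is still refused. A refusal, as well as a grant at a new location, clears the user's grants on every other server, which is the reconfiguration claims 9 through 11 describe.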

14. (Previously Presented) The method as recited in claim 1, wherein the 
secure item is a secured file, the secured file having a format that comprises a header 
including security information as to who and how access to the secure item is permitted; 
an encrypted data portion including data of the secured file encrypted with a file key 
according to a predetermined cipher scheme, and wherein the header is attached to the 
encrypted data portion to generate the secured file. 
15. (Previously Presented) The method as recited in claim 14, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 

16. (Previously Presented) The method as recited in claim 15, wherein the 
security information in the header of the secured file points to or includes the access 
rules and a file key. 

17. (Previously Presented) The method as recited in claim 14, wherein the 
security information is encrypted with a user key associated with the user. 

18. (Previously Presented) The method as recited in claim 14, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 

19. (Currently Amended) The method as recited in claim 18, wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file [[if]] based on 
access privilege of the user [[is]] being within access permissions by the access rules. 

20. (Previously Presented) The method as recited in claim 18, wherein the 
access rules are expressed in a markup language. 
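Claims 14 through 20 describe a concrete layout: a header of individually encrypted sub-headers, each holding the access rules and the file key for one user or group and encrypted under that principal's user key, attached to a data portion encrypted under the file key, with the rules expressed in a markup language. The code below is an added example written for this page, not the applicant's implementation, and it builds and opens such a file end to end. The claims do not name the cipher, so an HMAC-SHA256 keystream with an HMAC tag stands in for the "predetermined cipher scheme" (a production build would use an AEAD such as AES-GCM); the keys, principal identifiers, XML rule format and sample data are all constructed for the demonstration.

```python
"""Secured-file layout of claims 14-20, as an added example (not the
applicant's code): header of per-principal encrypted sub-headers + data
portion encrypted under the file key. All keys and data are constructed."""
import hashlib
import hmac
import json
import os
import struct
import xml.etree.ElementTree as ET


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the unnamed cipher scheme."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", offset // 32), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("sub-header or data portion failed its integrity check")
    return _keystream_xor(key, nonce, ct)


def build_secured_file(data: bytes, file_key: bytes, grants: dict) -> bytes:
    """grants maps a principal id ('user:alice', 'group:finance') to
    (that principal's user key, access rules as an XML string)."""
    sub_headers = []
    for principal, (user_key, rules_xml) in grants.items():
        # Each sub-header carries the rules and the file key, sealed under the user key.
        payload = json.dumps({"rules": rules_xml, "file_key": file_key.hex()}).encode()
        sub_headers.append({"id": principal, "blob": seal(user_key, payload).hex()})
    header = json.dumps({"sub_headers": sub_headers}).encode()
    # Header (length-prefixed) attached to the data portion encrypted with the file key.
    return struct.pack(">I", len(header)) + header + seal(file_key, data)


def open_secured_file(secured: bytes, user_keys: dict, location: str) -> bytes:
    """user_keys maps the principal ids the caller holds keys for (own user id
    and group ids) to the corresponding user keys."""
    (hlen,) = struct.unpack(">I", secured[:4])
    header = json.loads(secured[4:4 + hlen])
    encrypted_data = secured[4 + hlen:]
    # Select the sub-header corresponding to the user or to one of the user's groups;
    # sub-headers for other principals stay opaque because their keys are absent.
    for sub in header["sub_headers"]:
        if sub["id"] in user_keys:
            info = json.loads(unseal(user_keys[sub["id"]], bytes.fromhex(sub["blob"])))
            break
    else:
        raise PermissionError("no sub-header corresponds to this user or group")
    allowed = {el.get("location") for el in ET.fromstring(info["rules"]).iter("allow")}
    if location not in allowed:
        raise PermissionError(f"access rules do not permit location {location!r}")
    # Only now is the file key used to decrypt the data portion (claim 19).
    return unseal(bytes.fromhex(info["file_key"]), encrypted_data)


def try_open(secured: bytes, user_keys: dict, location: str):
    """The plaintext on success, None when access is refused or a check fails."""
    try:
        return open_secured_file(secured, user_keys, location)
    except (PermissionError, ValueError):
        return None


# Constructed sample material for the demonstration.
SAMPLE_DATA = b"Q3 forecast (constructed sample data)"
FILE_KEY = hashlib.sha256(b"constructed file key").digest()
ALICE_KEY = hashlib.sha256(b"constructed key for user:alice").digest()
FINANCE_KEY = hashlib.sha256(b"constructed key for group:finance").digest()
GRANTS = {
    "user:alice": (ALICE_KEY, '<rules><allow location="hq"/><allow location="home"/></rules>'),
    "group:finance": (FINANCE_KEY, '<rules><allow location="hq"/></rules>'),
}

if __name__ == "__main__":
    secured = build_secured_file(SAMPLE_DATA, FILE_KEY, GRANTS)
    print(try_open(secured, {"user:alice": ALICE_KEY}, "hq"))
    print(try_open(secured, {"group:finance": FINANCE_KEY}, "home"))
```

The file key never appears in the clear in the header: a reader obtains it only by opening a sub-header with a user key it holds, and the location check runs before the file key is used, so a principal with the right key at a disallowed location still cannot decrypt the data portion.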

21. (Currently Amended) A method for providing access management 
through use of a distributed network of server machines, said method comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine; 

authenticating a user of the client machine; 

authenticating the first client machine; 

upon successfully authenticating the user and authenticating the first client 
machine, retrieving at the first server machine a user key permitting access to an 
individually encrypted sub-header of the secure item, the encrypted sub-header including 
access rules for the secure item, the sub-header selected, from a group of individually 
encrypted sub-headers corresponding to other users or groups, based on the sub-header's 
[[corresponding]] correspondence to the user or to a group to which the user belongs 
[[based on an identifier located within the sub-header]]; 

retrieving access privileges associated with the user; 

determining whether the user is permitted to gain access to the secure item via the 
first server machine based on success of said authenticating the user and said 
authenticating the first client machine, and further based on allowability by the access 
privileges and access rules [[when said authenticating the user and said authenticating the 
first client machine are successful]]; 

permitting access to the secure item via the first server machine [[when]] based on 
said determining whether the user is permitted to gain access to the secure item via the 
first server machine [[determines]] determining that the user is permitted to gain access to 
the secure item via the first server machine; and 

preventing access to the secure item via the first server machine [[when]] based on 
said determining whether the user is permitted to gain access to the secure item via the 
first server machine [[determines]] determining that the user is not permitted to gain access 
to the secure item via the first server machine. 

22. (Currently Amended) The method as recited in claim 21, further 
comprising: 

preventing access to the secure item via any of the server machines other than the 
first server machine [[when]] based on said determining whether the user is permitted to 
gain access to the secure item via the first server machine [[determines]] determining that 
the user is permitted to gain access to the secure item via the first server machine. 

23. (Currently Amended) The method as recited in claim 21, 

wherein said determining whether the user is permitted to gain access to the 
secure item via the first server machine further determines whether the user is permitted 
to gain access to the secure item via the first client machine, and 

wherein said permitting access to the secure item via the first server machine 
operates to permit the user to gain access to the secure item via the first client machine 
and the first server machine [[when]] based on said determining whether the user is 
permitted to gain access to the secure item via the first server machine [[determines]] 
determining that the user is permitted to gain access to the secure item via both the first 
client machine and the first server machine. 

24. (Currently Amended) The method as recited in claim 23, further 
comprising: 

preventing access to the secure item via any of the server machines other than the 
first server machine [[when]] based on said determining whether the user is permitted to 
gain access to the secure item via the first server machine [[determines]] determining that 
the user is permitted to gain access to the secure item via the first server machine. 

25. (Currently Amended) The method as recited in claim 24, wherein said 
preventing access to the secure item via any of the server machines other than the first 
server machine comprises reconfiguring at least any one of the server machines that 
previously permitted the user to gain access to secure items therethrough. 

26. (Previously Presented) The method as recited in claim 25, wherein said 
permitting access to the secure item via the first server machine comprises reconfiguring 
the first server machine to permit access by the user to the secure item via the first server 
machine. 

27. (Previously Presented) The method as recited in claim 21, wherein said 
permitting access to the secure item via the first server machine comprises reconfiguring 
the first server machine to permit access to the secure item via the first server machine. 

28. (Previously Presented) The method as recited in claim 21, wherein the 
secure item is a secured file, the secured file having a format that comprises a header 
including security information as to who and how access to the secured file is permitted; 
an encrypted data portion including data of the secured file encrypted with a file key 
according to a predetermined cipher scheme, and wherein the header is attached to the 
encrypted data portion to generate the secured file. 

29. (Previously Presented) The method as recited in claim 28, wherein the 
security information in the header of the secured file facilitates the restricted access to 
the secured file. 

30. (Previously Presented) The method as recited in claim 28, wherein the 
security information is encrypted with a user key associated with the user. 

31. (Previously Presented) The method as recited in claim 28, wherein the 
security information includes the file key and access rules to the restricted access to the 
secured file. 

32. (Currently Amended) The method as recited in claim 28, wherein the file 
key is retrieved to decrypt the encrypted data portion in the secured file [[when]] based on 
access privilege of the user [[is]] being within access permissions by the access rules. 

33. (Previously Presented) The method as recited in claim 31, wherein the 
access rules are expressed in a markup language. 

34. (Currently Amended) A tangible computer-readable medium having 
computer-executable instructions stored thereon that[[, if executed by]] to cause a 
computing device[[, cause the computing device]] to perform a method for providing access 
management to secured content through use of a plurality of server machines associated 
with different locations, the method comprising: 

receiving, at a first server machine of the plurality of server machines, an access 
request to access a secure item from a first client machine at a first location; 

authenticating a user of the first client machine at the first location; 

authenticating the first client machine; 

retrieving at the first server machine, based on the success of said authenticating 
of the user and authenticating of the first client machine, a user key permitting access to 
an individually encrypted sub-header of the secured item, the encrypted sub-header 
including access rules for the secure item [[if said authenticating of the user and the first 
client machine are successful]], the sub-header selected, from a group of individually 
encrypted sub-headers corresponding to other users or groups, based on the sub-header's 
[[corresponding]] correspondence to the user or to a group to which the user belongs 
[[based on an identifier located within the sub-header]]; 

determining whether access to the secure item via the first location is permitted [[if]] 
based on success of said authenticating the first client machine and the user [[are 
successful]], and further based on allowability by the access rules; 

permitting access to the secure item via the first server machine [[if]] based on said 
determining [[determines]] that the user is permitted to gain access to the secure item from 
the first location; and 

preventing access to the secure item via the first server machine [[if]] based on said 
determining [[determines]] that the user is not permitted to gain access to the secure item 
from the first location. 
35. (Currently Amended) A tangible computer-readable medium having 
instructions stored thereon for providing access management through use of a distributed 
network of server machines, the instructions comprising: 

instructions [[for receiving]] to receive, at first server machine of the plurality of 
server machines, an access request to access a secure item from a first client machine; 

instructions [[for authenticating]] to authenticate a user of the client machine; 

instructions [[for authenticating]] to authenticate the first client machine; 

instructions [[for retrieving]] to retrieve at the first server machine, based on the 
success of said authenticating of the user and authenticating of the first client machine, a 
user key permitting access to an individually encrypted sub-header of the secured item, 
the encrypted sub-header including access rules for the secure item [[if said authenticating 
of the user and the first client machine are successful]], the sub-header selected, from a 
group of individually encrypted sub-headers corresponding to other users or groups, 
based on the sub-header's [[corresponding]] correspondence to the user or to a group to 
which the user belongs [[based on an identifier located within the sub-header]]; 

instructions [[for retrieving]] to retrieve access privileges associated with the user; 

instructions for determining whether the access to the secure item via the first 
server machine is permitted based on success of said instructions for authenticating the 
first client machine and the user, and further based on allowability by the access 
privileges and access rules [[if said computer program code for authenticating the first 
client machine and the user are successful]]; 

instructions [[for permitting]] to permit access to the secure item via the first server 
machine [[if]] based on said computer program code for determining [[determines]] making a 
determination that the user is permitted to gain access to the secure item via the first 
server machine; and 

instructions [[for preventing]] to prevent access to the secure item via the first server 
machine [[if]] based on said computer program code for determining [[determines]] making a 
determination that the user is not permitted to gain access to the secure item via the first 
server machine. 

36. (Currently Amended) An access control system that restricts access to a 
secure item, said system comprising: 

a central server having a server module that provides overall access control; and 

a plurality of local servers, each of said servers including a local module that 
provides local access control, 

wherein the access control, performed by said central server or said local servers, 
operates to permit or deny access requests to secured items by requestors, and 

wherein, based on information stored in an individually encrypted sub-header of 
a secure item, [[the sub-header corresponding to the given requestor or to a group to which 
the requestor belongs based on an identifier located within the sub-header,]] a given 
requestor[[,]] is permitted to access the secure item through one or more of said local 
servers, and 

wherein the individually encrypted sub-header is selected for decryption by the 
given requestor from a group of one or more additional individually encrypted sub-
headers corresponding to other requestors or groups to which the other requestors belong 
based on correspondence of the individually encrypted sub-header to an identifier for the 
given requestor or to a group to which the requestor belongs[[, is only able to access the 
secure item using only a single one of said local servers or the central server such that the 
given requestor is only permitted to access the secure item through at most one of said 
local servers at a time]]. 

37. (Previously Presented) The access control system as recited in claim 36, 
wherein said access control system couples to an enterprise network to restrict access to 
the secure item, which comprises a secured file, stored therein. 

38. (Previously Presented) The access control system as recited in claim 37, 
wherein the access requests are at least primarily processed in a distributed manner by 
said local servers. 

39. (Currently Amended) The access control system as recited in claim 38, 
wherein [[if the access requests are processed by said local servers,]] the requestors gain 
access to the secured files without having to access said central server based on 
processing of the access requests by said local servers. 

40. (Previously Presented) The access control system as recited in claim 37, 
wherein the local module is a copy of the server module so any of the local modules 
operate independently of said central server and other of said local servers. 

41. (Previously Presented) The access control system as recited in claim 37, 
wherein the local module is a subset of the server module. 
42. (Currently Amended) The access control system as recited in claim 37, 
wherein access permissions for said local servers is dynamically configured to pass a 
requestor from one of said local servers to another of said local servers, thereby enabling 
access control to be performed by the another of said local servers such as if a change of 
the location of the requestor changes. 

43. (Previously Presented) The access control system as recited in claim 37, 
wherein the secured files are secured by encryption of the secure item. 

44. (Previously Presented) The access control system as recited in claim 37, 
wherein the secure item is secured by encryption. 


Atty. Dkt. No. 2222.5390003 